By Paul Buren
On the 25th of May 2018 the inevitable is going to happen: a new law that dictates how we gather, process and share personal data comes into force. This development was necessary after 20 years of living with the old Data Protection Act (1998) in the UK. Other countries within the EU have similarly old legislation that is not fit for purpose in the modern day and age.
Data gathering, processing and sharing has been an ever-increasing trend, especially with the rise of intelligent information systems. The good news for many people in the coaching, mentoring, supervision or counselling (CMSC) industry is that the changes in practice do not change much about how they run their practice. Below I will outline some of the potential changes for practitioners in the CMSC industry.
Many practitioners will (rightly so) take notes during sessions or consultations. In light of the GDPR (General Data Protection Regulation) this will be considered personal data and is subject to GDPR legislation. I have seen many people being scared or unnecessarily scaring other people; this is not very helpful for many practitioners. There are a few simple things to consider:
- Make sure that your client has explicitly said ‘yes’ to you taking, storing and reviewing notes about them. My advice is to make this part of your contracting process; be extra careful when your contract is not with the client themselves. GDPR is clear on consent; no consent is not an option.
- Right to be informed. If you decide to process their data in any way (for example as part of a research project) the subject has the right to be informed. Even when the data is anonymous, informing the subject that this may happen is their legal right. The client will also have the right to restrict the amount of processing you do.
- Right of access. At any given time the subject (a person you hold data on) can ask for the data you hold on them. You will have to comply with this request within one month unless you have a very good reason not to honour it; in that case you must inform them within one month as well.
- Right to data portability. The data subject has the right to access and then share data with another party. This largely applies to banking and IT services; however, for CMSC practitioners this may be of importance as well. A client has the right to take the data on them and share that with another service provider or practitioner (this can also work to your advantage, as you can imagine).
- Right of erasure. We know this as ‘the right to be forgotten’. You may normally store notes for a limited amount of time after the service has ended (if so, tell the client about this in your contracting); the subject can ask you to destroy any data you hold on them.
- Make sure you store notes securely; the practitioner is responsible for the safety of any data held on a client. Even if you store notes in your private office you will have to ensure they are kept safe and away from anyone else but you (even your partner); a lockable drawer or something similar may suffice. If you prefer to store things online, make sure you store them somewhere where you are 100% sure no one else will easily gain access or have ownership. If your computer password is the only thing preventing third-party access, you will have to rethink how you store information (two-factor authentication may be a good idea). If there is some sort of data breach or accidental loss, you will have to inform the relevant supervisory authority with no delay and within 72 hours.
This list is not exhaustive; however, for coaches, mentors, supervisors and counsellors these are the most important things to consider. Hopefully you will already do most of these things anyway, as they are part of professional practice.
In GDPR there is a lot of talk about profiling; however, this has little to do with the personality profiling tools that loads of practitioners use. It is good to be aware of any data sharing that you do with the external data provider. If you use a profiling tool, does the provider of that tool gather data on your client? If yes, is it anonymous? These are some important questions that you will have to answer; a practitioner is responsible for the client’s data processing.
This is the big subject that lots of people struggle with. You may have spent years building a database of clients, potential clients and so forth; can you still use the email addresses you have gathered? This depends on whether and how you have acquired consent. Below you will find a flowchart to figure out whether you can use the data after the 25th of May 2018.
However, before the GDPR date you can do something to acquire consent from your current contacts. My advice is to send an email to those who haven’t given explicit consent, or where you are not sure they have. This may also be a good moment to reconnect with potential clients that you lost touch with. If someone does not explicitly give you consent to use their data you will have to destroy their data after the 25th of May 2018. Also remember that someone who has given you their business card or email address has not given you consent to contact them for marketing purposes.
Do not be overly worried; just use common sense when in doubt. Has someone given you permission to use data in a certain way? Are you making sure data is stored securely? Some of these questions will help you to understand whether you are treating personal data in the right way. Coaches, mentors, supervisors and counsellors can mostly deliver their services in the same way as before. It is good to be aware of some minor changes in contracting and marketing; you might also consider making a privacy statement to inform your clients about the way you treat their personal data.
If you want more information about how to interpret some of the GDPR articles and general tips on how to treat data in the right way, look on the ICO website. You can decide to read the whole General Data Protection Regulation or a good summary; the former is very time-consuming and the latter will give you a much better idea about the implications of the GDPR.